
An injection attack occurs when you embed additional SQL commands into an external SQL statement. Taking Charles' example, if you have:

wSQL = 'select * from XYZ where fld2 = ' + QUOTE + inFld2Value + QUOTE;

An injection attack could occur by adding additional commands within the inFld2Value parameter. So if inFld2Value had a value of "a';DROP TABLE users; select * from users where t='", it would have the potential to not find anything in the first statement and then attempt to drop a table named users and then attempt to query the users table.

/b;

-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx [mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of David FOXWELL
Sent: Tuesday, October 20, 2009 8:49 AM
To: RPG programming on the IBM i / System i
Subject: RE: SQL Problem


-----Original Message-----
[mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of Charles Wilt
Note however, if you have something like so

wSQL = 'select * from XYZ where fld2 = ' + QUOTE + inFld2Value + QUOTE;

you are opening yourself up to SQL injection attacks.
Instead, you should use parametrized statements:

wSQL = 'select * from XYZ where fld2 = ?';

// prepare the fixed statement text; the ? is a parameter marker, not data
exec sql prepare S1 from :wSQL;

// a cursor has to be declared over the prepared statement before it is opened
exec sql declare C1 cursor for S1;

// the host variable is bound to the marker at open time, never parsed as SQL
exec sql open C1 using :inFld2Value;

Charles,
Can you illustrate what you mean by an injection attack?

Thanks.

--
This is the RPG programming on the IBM i / System i (RPG400-L) mailing list
To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/rpg400-l
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/rpg400-l.
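The two points made in this thread, the string-concatenated statement that /b; walks through and the parameter-marker version Charles recommends, side by side as an added example. This is not code from the thread: it is Python against an in-memory SQLite database, standing in for the RPG and DB2 for i of the original, and the table columns (fld1, fld2, t) and rows are constructed for the demo since the thread names the tables but not their layout. The payload string is the one given in the thread.

```python
import sqlite3

# Constructed sample schema for the demo; the thread names the tables XYZ and
# users but gives no columns, so the columns and rows here are assumptions.
SETUP_SQL = """
CREATE TABLE XYZ (fld1 INTEGER, fld2 TEXT);
INSERT INTO XYZ VALUES (1, 'a'), (2, 'b');
CREATE TABLE users (t TEXT);
INSERT INTO users VALUES ('alice');
"""

QUOTE = "'"  # the RPG QUOTE constant: a single apostrophe

# The inFld2Value discussed in the thread.
PAYLOAD = "a';DROP TABLE users; select * from users where t='"


def build_concatenated(in_fld2_value: str) -> str:
    """Same string building as the vulnerable RPG line:
    wSQL = 'select * from XYZ where fld2 = ' + QUOTE + inFld2Value + QUOTE;
    Whatever inFld2Value contains becomes part of the SQL text itself."""
    return "select * from XYZ where fld2 = " + QUOTE + in_fld2_value + QUOTE


def fresh_db() -> sqlite3.Connection:
    """New in-memory SQLite database loaded with the sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def run_concatenated(in_fld2_value: str) -> dict:
    """Run the concatenated statement text on a fresh database.

    executescript() is used because, like the database the thread assumes,
    it executes every ';'-separated statement it is handed. Returns whether
    the users table survived and the first error raised, if any (the trailing
    'select * from users' fails once that table is gone)."""
    conn = fresh_db()
    error = None
    try:
        conn.executescript(build_concatenated(in_fld2_value))
    except sqlite3.Error as exc:
        error = str(exc)
    return {"users_table_exists": table_exists(conn, "users"), "error": error}


def run_parameterized(in_fld2_value: str) -> tuple:
    """Same shape as the parameterized RPG version: the SQL text is fixed
    ('... where fld2 = ?') and the value is bound when the statement runs,
    so it is only ever compared as a value, never parsed as SQL."""
    conn = fresh_db()
    rows = conn.execute(
        "select * from XYZ where fld2 = ?", (in_fld2_value,)
    ).fetchall()
    return rows, table_exists(conn, "users")


if __name__ == "__main__":
    print(build_concatenated(PAYLOAD))
    print("concatenated:", run_concatenated(PAYLOAD))
    print("parameterized:", run_parameterized(PAYLOAD))
```

With the concatenated form the users table is gone after the call and the last statement fails with "no such table"; with the bound parameter the query simply returns no rows and the table is untouched, which is exactly what the RPG `OPEN C1 USING :inFld2Value` gives you, since the host variable is passed to the database as a value for the `?` marker rather than spliced into the statement text. Note that many single-statement execute APIs would reject the `;`-chained text outright; that is a side effect of the API, not a defense, and the parameter marker is the fix that holds regardless of what the value contains.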

